From 1c285ade7a6638afc8d00893d9756b567fd9c60c Mon Sep 17 00:00:00 2001
From: Mate Molnar
Date: Mon, 8 Jul 2024 14:58:38 +0200
Subject: [PATCH] BUILD-5580: Add missing id-token: write permissions for the Vault action and update the action to v3
---
 .github/workflows/add_language.yml | 7 +++++--
 .github/workflows/create_new_rspec.yml | 5 ++++-
 .github/workflows/main.yml | 3 ++-
 .github/workflows/update_coverage.yml | 7 ++++---
 .github/workflows/update_quickfix_status.yml | 7 +++++--
 5 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/add_language.yml b/.github/workflows/add_language.yml
index 38858ab8ea..116ba8c838 100644
--- a/.github/workflows/add_language.yml
+++ b/.github/workflows/add_language.yml
@@ -14,12 +14,15 @@ on:
 jobs:
 add_language_to_rule:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write # OIDC auth for Vault
+ contents: read # checkout
 steps:
 - name: 'get secrets'
 id: secrets
- uses: SonarSource/vault-action-wrapper@7160b50d75c02fe48eb3c8d354ca4fd7029f546a # tag=2.5.0-4
+ uses: SonarSource/vault-action-wrapper@v3
 with:
 secrets: |
 development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN;
diff --git a/.github/workflows/create_new_rspec.yml b/.github/workflows/create_new_rspec.yml
index 0dcf4ef531..042c69e8fb 100644
--- a/.github/workflows/create_new_rspec.yml
+++ b/.github/workflows/create_new_rspec.yml
@@ -12,11 +12,14 @@ on:
 jobs:
 create_new_rule:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write # OIDC auth for Vault
+ contents: read # checkout
 steps:
 - name: 'get secrets'
 id: secrets
- uses: SonarSource/vault-action-wrapper@7160b50d75c02fe48eb3c8d354ca4fd7029f546a # tag=2.5.0-4
+ uses: SonarSource/vault-action-wrapper@v3
 with:
 secrets: |
 development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN;
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 604045f41a..0533d92585 100644
--- a/.github/workflows/main.yml
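Review bot: The `uses:` line in the add_language.yml hunk drops a full-length commit SHA pin (`@7160b50d… # tag=2.5.0-4`) in favour of the floating tag `@v3`, so the job now executes whatever commit that tag resolves to at run time; the same substitution is made in create_new_rspec.yml, main.yml, update_coverage.yml and update_quickfix_status.yml. This matters more than for a typical action because the step appears to be the one that exchanges the newly granted `id-token: write` OIDC token for `COVERAGE_GITHUB_TOKEN`, so a moved tag would run with exactly the credentials this commit is enabling. The upgrade can be kept while restoring the immutable reference by pinning the commit the v3 tag points to and recording the tag in the comment, e.g. `uses: SonarSource/vault-action-wrapper@<commit-sha-of-v3-tag> # tag=v3` (placeholder: resolve the SHA from the release). As a minor style point, the new inline comments (`id-token: write # OIDC auth for Vault`, `contents: read # checkout`) use one space before `#`, whereas yamllint's default `comments` rule expects two.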
+++ b/.github/workflows/main.yml
@@ -9,12 +9,13 @@ jobs:
 build-and-deploy:
 runs-on: ubuntu-20.04
 permissions:
+ id-token: write # OIDC auth for Vault
 pull-requests: read # Get the list and metadata of open new-rule PRs
 contents: write # Get the contents of open new-rule PRs, the 'master'; write to 'gh-pages' branch
 steps:
 - name: 'get secrets'
 id: secrets
- uses: SonarSource/vault-action-wrapper@7160b50d75c02fe48eb3c8d354ca4fd7029f546a # tag=2.5.0-4
+ uses: SonarSource/vault-action-wrapper@v3
 with:
 secrets: |
 development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN;
diff --git a/.github/workflows/update_coverage.yml b/.github/workflows/update_coverage.yml
index 0f1d1193aa..08ee2613d5 100644
--- a/.github/workflows/update_coverage.yml
+++ b/.github/workflows/update_coverage.yml
@@ -5,16 +5,17 @@ on:
 jobs:
 update_coverage:
- permissions:
- id-token: write
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write # OIDC auth for Vault
+ contents: read # checkout
 env:
 TMP_BRANCH: temporary/coverage_update
 steps:
 - name: 'get secrets'
 id: secrets
- uses: SonarSource/vault-action-wrapper@7160b50d75c02fe48eb3c8d354ca4fd7029f546a # tag=2.5.0-4
+ uses: SonarSource/vault-action-wrapper@v3
 with:
 secrets: |
 development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN;
diff --git a/.github/workflows/update_quickfix_status.yml b/.github/workflows/update_quickfix_status.yml
index e40063c77a..78cc8989e3 100644
--- a/.github/workflows/update_quickfix_status.yml
+++ b/.github/workflows/update_quickfix_status.yml
@@ -1,6 +1,6 @@
 name: Update quick fix status
-on:
+on:
 workflow_dispatch:
 inputs:
 rule:
@@ -26,10 +26,13 @@ jobs:
 update_quickfix_status:
 name: Update quick fix status
 runs-on: ubuntu-20.04
+ permissions:
+ id-token: write # OIDC auth for Vault
+ contents: read # checkout
 steps:
 - name: 'get secrets'
 id: secrets
- uses: SonarSource/vault-action-wrapper@7160b50d75c02fe48eb3c8d354ca4fd7029f546a # tag=2.5.0-4
+ uses: SonarSource/vault-action-wrapper@v3
 with:
 secrets: |
 development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN;